Internet Virus: SunOS patches


Chuq Von Rospach (plaid!chuq@sun.com)
8 Nov 88 00:18:22 GMT


A few notes on the worm. It affects only machines with SMTP-based
connections to computer networks. If your machines are not connected to
outside organizations or are connected only by uucp, you are not at
risk and may choose not to install these patches. If you do have a
connection with an outside organization (either on the Internet or with
an organization that might have an Internet connection), you are
potentially at risk of infestation. The connections with potential risk
are those that allow you to access another system via commands like
rlogin or telnet. If that is not possible, you are not at risk.

This worm is benign. Its primary purpose is to find other systems in which
to replicate. It does no damage to your system other than sapping system
resources. Under some circumstances, it can make systems crash due to
resource exhaustion, but otherwise causes few problems.

The worm was specifically targeted at Sun-3 and VAX computers. While the
security hole exists on Sun-2 and Sun-4 machines, they are not at risk from
the current virus. We recommend that you install these patches on any
machine that acts as a gateway between your organization and the rest of the
network and on any machine whose network address is publicly available to
the Internet. We recommend installing these patches on every machine. These
patches are not Sun-specific; they should work for all Berkeley-based Unix
systems.

These patches will work on Sun-2, Sun-3 and Sun-4 machines under releases
3.x and 4.0 and 386i machines under 4.0. Only Sun-3 machines running 3.x
are at risk from the current worm, but all machines are potentially at risk
for future variations of this attack, so every system should be corrected.

Patching sendmail:

The following instructions should be used to fix the security hole in
sendmail:

        1) log onto the system as root
        2) make a copy of sendmail
                # cd /usr/lib
                # cp sendmail sendmail.debug
        3) find the offset for the debug option in sendmail:
                # strings -o -a sendmail | egrep debug
                124882 debug
           [note: this number will vary depending on architecture and
            release. Make sure you use the number appropriate for your
            system!]
        4) start adb:
                # adb -w sendmail
           [note: adb does not print user prompts. Just type at it]
        5) put adb into base 10:
                [type the string:] ?m 0 0xffffffff 0
                [there is no response from adb]
                [type the string:] 0t10$d
                [adb responds:] radix=10 base ten
        6) verify the address of the debug option:
                [type the string:] 124882?s
                [adb should respond:] 124882: debug
           [note: make sure you use the correct number for your system here]
        7) disable the debug option:
                [type the string:] 124882?w 65535
                [adb should respond:] 124882: 25701 = 65535
           [note: make sure you use the correct number for your system here]
        8) exit adb:
                ^D
                #
        9) kill off your sendmail daemon and restart it.
                # ps -ax | grep sendmail
                1563 ? I 0:00 /usr/lib/sendmail -bd -q17m
                1849 p4 S 0:00 grep -i sendmail
                # kill 1563
                # /usr/lib/sendmail -bd -q17m &

        10) verify the debug option is disabled:
                # /usr/etc/mconnect
                connecting to host localhost (127.0.0.1), port 25
                connection open
                220 [system dependent header information here]
                [type: ] debug
                500 Command unrecognized
                [type: ] quit
                221 plaid.Sun.COM closing connection
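
The same edit done portably in C instead of through adb, as an added example that is not part of the original message: it locates the NUL-terminated "debug" command string the way step 3 does and overwrites its first two bytes with 0xffff the way step 7 does. The file path and the sample image are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Offset of the NUL-terminated command name "debug" in image, or -1
 * (the number "strings -o -a sendmail | egrep debug" prints in step 3). */
long find_debug(const unsigned char *image, size_t len)
{
        size_t i, n = sizeof "debug";   /* 6: match the trailing NUL too */
        for (i = 0; i + n <= len; i++)
                if (memcmp(image + i, "debug", n) == 0)
                        return (long)i;
        return -1;
}

/* Steps 6-7 on an in-memory image: the big-endian word there is 25701 ("de");
 * storing 65535 means "debug" matches no command.  Returns offset or -1. */
long patch_debug(unsigned char *image, size_t len)
{
        long off = find_debug(image, len);
        if (off < 0)
                return -1;
        image[off] = image[off + 1] = 0xff;
        return off;
}

/* Read the binary, patch it, write back only the two changed bytes. */
long patch_file(const char *path)
{
        static unsigned char image[1 << 20];    /* far larger than a 1988 sendmail */
        FILE *fp = fopen(path, "r+b");
        size_t len;
        long off = -1;
        if (fp == NULL)
                return -1;
        len = fread(image, 1, sizeof image, fp);
        if (len > 0 && len < sizeof image)      /* refuse empty or oversized files */
                off = patch_debug(image, len);
        if (off >= 0 && (fseek(fp, off, SEEK_SET) != 0 || fwrite(image + off, 1, 2, fp) != 2))
                off = -1;
        fclose(fp);
        return off;
}
/* Constructed stand-in for a sendmail image ("debug" at offset 10).  The
 * buffer is static and mutable, so later calls see an earlier patch. */
unsigned char *sample_image(void)
{
        static unsigned char image[21] = "helo\0mail\0debug\0quit";
        return image;
}
```

Point patch_file at the binary you intend to change only after making the backup copy of step 2, and still run the mconnect check of step 10 afterwards.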

Installing a new fingerd:

Attached to the end of this message is a new version of the program
/usr/etc/in.fingerd. This version fixes a security hole in that program.

To install this on your system, save the program to a file named
in.fingerd.c. Then compile the program with:

        % cc -O -o in.fingerd in.fingerd.c

Install the new fingerd as follows:

        % su
        # cp in.fingerd /usr/etc/in.fingerd.new
        # cd /usr/etc
        # mv in.fingerd in.fingerd.orig
        # mv in.fingerd.new in.fingerd
        # chown root in.fingerd
        # chmod 755 in.fingerd

Then reboot your system to re-initialize the daemons.

----- Begin of file in.fingerd.c -----
/*
 * Copyright (c) 1983 Regents of the University of California.
 * All rights reserved. The Berkeley software License Agreement
 * specifies the terms and conditions for redistribution.
 */

#ifndef lint
char copyright[] =
"@(#) Copyright (c) 1983 Regents of the University of California.\n\
 All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "@(#)in.fingerd.c 1.4 88/02/08 SMI"; /* from UCB 5.1 6/6/85 */
#endif /* not lint */

/*
 * Finger server.  Started by inetd with the accepted TCP connection on
 * descriptors 0 and 1: the request line is read from stdin and the
 * output of the local finger program is copied back to stdout.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <ctype.h>

#define MAXARGS 4       /* "finger", optional "-l", one name, terminating NULL */

void fatal(char *prog, char *s);

int
main(int argc, char *argv[])
{
        register char *sp;
        char line[512];
        struct sockaddr_in sin;
        socklen_t len;
        int i, p[2], pid, status;
        FILE *fp;
        char *av[MAXARGS];

        (void) argc;
        /* Refuse to run unless descriptor 0 really is a connected socket. */
        len = sizeof (sin);
        if (getpeername(0, (struct sockaddr *)&sin, &len) < 0)
                fatal(argv[0], "getpeername");
        /*
         * Read the request line with a bounded fgets().  The hole this
         * version closes was an unbounded read into this buffer; anything
         * past 511 bytes is now simply left unread.
         */
        line[0] = '\0';
        (void) fgets(line, sizeof(line), stdin);
        sp = line;
        av[0] = "finger";
        i = 1;
        /*
         * Build the argument vector: a leading "/W" requests the long
         * format (-l); the first name on the line is passed through.
         * The bounds checks keep av[] from overflowing on odd input.
         */
        while (1) {
                while (isspace((unsigned char)*sp))
                        sp++;
                if (!*sp)
                        break;
                if (*sp == '/' && (sp[1] == 'W' || sp[1] == 'w')) {
                        sp += 2;
                        if (i < MAXARGS - 1)
                                av[i++] = "-l";
                }
                if (*sp && !isspace((unsigned char)*sp)) {
                        if (i < MAXARGS - 1)
                                av[i++] = sp;
                        while (*sp && !isspace((unsigned char)*sp))
                                sp++;
                        *sp = '\0';     /* terminates the name; parsing stops here */
                }
        }
        av[i] = 0;
        if (pipe(p) < 0)
                fatal(argv[0], "pipe");
        if ((pid = fork()) == 0) {
                /* Child: send finger's stdout down the pipe to the parent. */
                close(p[0]);
                if (p[1] != 1) {
                        dup2(p[1], 1);
                        close(p[1]);
                }
                execv("/usr/local/finger", av);
                execv("/usr/ucb/finger", av);
                printf("No local finger program found\n");
                fflush(stdout);
                _exit(1);
        }
        if (pid == -1)
                fatal(argv[0], "fork");
        /* Parent: copy finger's output to the network with CRLF line ends. */
        close(p[1]);
        if ((fp = fdopen(p[0], "r")) == NULL)
                fatal(argv[0], "fdopen");
        while ((i = getc(fp)) != EOF) {
                if (i == '\n')
                        putchar('\r');
                putchar(i);
        }
        fclose(fp);
        while ((i = wait(&status)) != pid && i != -1)
                ;
        return(0);
}

void
fatal(char *prog, char *s)
{

        fprintf(stderr, "%s: ", prog);
        perror(s);
        exit(1);
}
----- end of in.fingerd.c -----

----- end of virus patch message -----



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:29 GMT